make trusted forest account admin on local machine

Discussion in 'Server Migration' started by FigWiggleman, Jan 7, 2010.

  1. FigWiggleman

    FigWiggleman Guest

    We (us.com) have a forest trust with newly acquired partner (them.com).
    SID filtering disabled.
    us.com has a site and DC in their location. All of their IP subnets are part
    of that site definition.

    It was decided to migration workstations before users in our migration plan.
    User accounts to be migrated in future, but first we are migrating
    workstations.

    All clients are XP SP2 or better.
    Cross-forest access to file shares and printers on member servers from both
    forests is working by add global groups from one forest to a domain local
    group in the other forest.

    A them.com workstation is unjoined from it's domain and joined to us.com.
    (but stays in it's same physical location and retains it's same IP address.

    So during this transition period of our migration. A them.com user will log
    on to the same workstation they've always used, with their them.com user
    account, but that workstation is now a member of us.com. This way the user
    can continue to use the local profile they are accustomed to until we use
    the QUEST tools to migrate the user and local profile later.

    Problem. There is an application (call it "appl1") which "requires" local
    admin access on the local computer to run properly. But we have not been
    able to make that work. It's unloke this is the only app that will require
    some kind elevated access on the workstation and so we are looking for a
    consistent practice for meeting these requirements.

    Things we've tried...
    -We created an us.com\APPL1 domain local group, containing the
    them.com\APPL1Users global group, then added the us.com\APPL1 domain local
    group to the local administrators group.
    -We also tried same as above but added individual them.com\username accounts
    to us.com\APPL1 domain local group
    -We also tried adding the them.com\username to the local administrators
    group.

    None of these configurations have yielded admin rights on the workstations.
    When adding accounts (users or groups) to a local group on a workstation,
    the object picker does not enumerate the trusted domain (them.com), but
    using the them.com\username syntax will work for adding the user object. So
    we CAN add the account to the local group in the GUI, but the net effect
    does not yield admin rights on the workstation.

    Is this normal? Can you only grant admin rights via local group membership
    if the user has an account in the same domain as the computer account? Is
    the winlogon process able to include access tokens from the trusted forest?

    Thank you for any help you can provide.
     
    FigWiggleman, Jan 7, 2010
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.